When you restore the original visitor IP, it bans that IP in fail2ban, not any Cloudflare IP. (That is perfect.)
The issue is that even though you ban the original IP, traffic from the original visitor IP over records that are orange-clouded will be able to continue attacks unmitigated. Only if you have traffic over grey-clouded records will it stop the original IP from continuing the attack unmitigated.
The only solution I have found is using the Cloudflare API to add banned IP addresses to Cloudflare.
This is not a real viable option, as a site that has been under heavy attack can have over the limit of IP addresses listed.
Is there something missing in the "Can I still use fail2ban while using Cloudflare" article?
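The behaviour described in this post, as an added example that is not part of the original post: a local packet-filter ban matches the TCP peer address, so it catches the visitor on a grey-clouded record but not on an orange-clouded one, where the peer is a Cloudflare edge address. The addresses are constructed stand-ins from documentation ranges, and the IP Access Rules endpoint in `edge_block_request` is an assumption about which Cloudflare API call is meant (the post does not name one); the request is built, not sent.

```python
import ipaddress
import json

# Constructed stand-ins (documentation ranges): the proxy's edge network and a visitor.
EDGE_NET = ipaddress.ip_network("203.0.113.0/24")
VISITOR = "198.51.100.7"

def restored_ip(peer, headers):
    """Return the visitor IP as the web server logs it after IP restoration.

    CF-Connecting-IP is trusted only when the TCP peer is an edge address.
    """
    if ipaddress.ip_address(peer) in EDGE_NET and "CF-Connecting-IP" in headers:
        return headers["CF-Connecting-IP"]
    return peer

def packet_filter_drops(peer, banned):
    """A netfilter-style ban sees only the TCP peer address, never HTTP headers."""
    return peer in banned

def edge_block_request(zone_id, ip):
    """Build (not send) a Cloudflare IP Access Rule request that blocks ip at the edge."""
    url = ("https://api.cloudflare.com/client/v4/zones/"
           f"{zone_id}/firewall/access_rules/rules")
    body = {"mode": "block",
            "configuration": {"target": "ip", "value": ip},
            "notes": "fail2ban"}
    return "POST", url, json.dumps(body)

def simulate():
    """Replay constructed requests: one proxied (orange), one direct (grey)."""
    requests = [
        ("orange", "203.0.113.10", {"CF-Connecting-IP": VISITOR}),
        ("grey", VISITOR, {}),
    ]
    banned = {VISITOR}  # what fail2ban bans after reading the restored IP from logs
    return {name: (restored_ip(peer, hdrs), packet_filter_drops(peer, banned))
            for name, peer, hdrs in requests}

if __name__ == "__main__":
    for name, (logged, dropped) in simulate().items():
        print(f"{name}: logged as {logged}, dropped by local firewall: {dropped}")
    print(edge_block_request("ZONE_ID_PLACEHOLDER", VISITOR))
```

Both requests are logged with the same visitor IP, but only the grey-clouded one is dropped locally; the orange-clouded one needs the block to be applied at the edge.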